Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 1045

VMTP: Versatile Message Transaction Protocol: Protocol specification

Pages: 128
Experimental
Part 1 of 4 – Pages 1 to 28
None   None   Next

Top   ToC   RFC1045 - Page 1
Network Working Group                                     David Cheriton
Request for Comments:  1045                          Stanford University
                                                           February 1988


              VMTP: VERSATILE MESSAGE TRANSACTION PROTOCOL
                         Protocol Specification



STATUS OF THIS MEMO

This RFC describes a protocol proposed as a standard for the Internet
community.  Comments are encouraged.  Distribution of this document is
unlimited.


OVERVIEW

This memo specifies the Versatile Message Transaction Protocol (VMTP)
[Version 0.7 of 19-Feb-88], a transport protocol specifically designed
to support the transaction model of communication, as exemplified by
remote procedure call (RPC).  The full function of VMTP, including
support for security, real-time, asynchronous message exchanges,
streaming, multicast and idempotency, provides a rich selection to the
VMTP user level.  Subsettability allows the VMTP module for particular
clients and servers to be specialized and simplified to the services
actually required.  Examples of such simple clients and servers include
PROM network bootload programs, network boot servers, data sensors and
simple controllers, to mention but a few examples.


Top   ToC   RFC1045 - Page 2
Table of Contents

 1. Introduction                                                       1

   1.1. Motivation                                                     2
       1.1.1. Poor RPC Performance                                     2
       1.1.2. Weak Naming                                              3
       1.1.3. Function Poor                                            3
   1.2. Relation to Other Protocols                                    4
   1.3. Document Overview                                              5

 2. Protocol Overview                                                  6

   2.1. Entities, Processes and Principals                             7
   2.2. Entity Domains                                                 9
   2.3. Message Transactions                                          10
   2.4. Request and Response Messages                                 11
   2.5. Reliability                                                   12
       2.5.1. Transaction Identifiers                                 13
       2.5.2. Checksum                                                14
       2.5.3. Request and Response Acknowledgment                     14
       2.5.4. Retransmissions                                         15
       2.5.5. Timeouts                                                15
       2.5.6. Rate Control                                            18
   2.6. Security                                                      19
   2.7. Multicast                                                     21
   2.8. Real-time Communication                                       22
   2.9. Forwarded Message Transactions                                24
   2.10. VMTP Management                                              25
   2.11. Streamed Message Transactions                                25
   2.12. Fault-Tolerant Applications                                  28
   2.13. Packet Groups                                                29
   2.14. Runs of Packet Groups                                        31
   2.15. Byte Order                                                   32
   2.16. Minimal VMTP Implementation                                  33
   2.17. Message vs. Procedural Request Handling                      33
   2.18. Bibliography                                                 34

 3. VMTP Packet Formats                                               37

   3.1. Entity Identifier Format                                      37
   3.2. Packet Fields                                                 38
Top   ToC   RFC1045 - Page 3
   3.3. Request Packet                                                45
   3.4. Response Packet                                               47

 4. Client Protocol Operation                                         49

   4.1. Client State Record Fields                                    49
   4.2. Client Protocol States                                        51
   4.3. State Transition Diagrams                                     51
   4.4. User Interface                                                52
   4.5. Event Processing                                              53
   4.6. Client User-invoked Events                                    54
       4.6.1. Send                                                    54
       4.6.2. GetResponse                                             56
   4.7. Packet Arrival                                                56
       4.7.1. Response                                                58
   4.8. Management Operations                                         61
       4.8.1. HandleNoCSR                                             62
   4.9. Timeouts                                                      64

 5. Server Protocol Operation                                         66

   5.1. Remote Client State Record Fields                             66
   5.2. Remote Client Protocol States                                 66
   5.3. State Transition Diagrams                                     67
   5.4. User Interface                                                69
   5.5. Event Processing                                              70
   5.6. Server User-invoked Events                                    71
       5.6.1. Receive                                                 71
       5.6.2. Respond                                                 72
       5.6.3. Forward                                                 73
       5.6.4. Other Functions                                         74
   5.7. Request Packet Arrival                                        74
   5.8. Management Operations                                         78
       5.8.1. HandleRequestNoCSR                                      79
   5.9. Timeouts                                                      82

 6. Concluding Remarks                                                84

 I. Standard VMTP Response Codes                                      85

 II. VMTP RPC Presentation Protocol                                   87
Top   ToC   RFC1045 - Page 4
   II.1. Request Code Management                                      87

 III. VMTP Management Procedures                                      89

   III.1. Entity Group Management                                    100
   III.2. VMTP Management Digital Signatures                         101

 IV. VMTP Entity Identifier Domains                                  102

   IV.1. Domain 1                                                    102
   IV.2. Domain 3                                                    104
   IV.3. Other Domains                                               105
   IV.4. Decentralized Entity Identifier Allocation                  105

 V. Authentication Domains                                           107

   V.1. Authentication Domain 1                                      107
   V.2. Other Authentication Domains                                 107

 VI. IP Implementation                                               108

 VII. Implementation Notes                                           109

   VII.1. Mapping Data Structures                                    109
   VII.2. Client Data Structures                                     111
   VII.3. Server Data Structures                                     111
   VII.4. Packet Group transmission                                  112
   VII.5. VMTP Management Module                                     113
   VII.6. Timeout Handling                                           114
   VII.7. Timeout Values                                             114
   VII.8. Packet Reception                                           115
   VII.9. Streaming                                                  116
   VII.10. Implementation Experience                                 117

 VIII. UNIX 4.3 BSD Kernel Interface for VMTP                        118

 Index                                                               120
Top   ToC   RFC1045 - Page 5
List of Figures

   Figure 1-1:   Relation to Other Protocols                           4
   Figure 3-1:   Request Packet Format                                45
   Figure 3-2:   Response Packet Format                               47
   Figure 4-1:   Client State Transitions                             52
   Figure 5-1:   Remote Client State Transitions                      68
   Figure III-1:   Authenticator Format                               92
   Figure VII-1:   Mapping Client Identifier to CSR                  109
   Figure VII-2:   Mapping Server Identifiers                        110
   Figure VII-3:   Mapping Group Identifiers                         111
Top   ToC   RFC1045 - Page 6
1. Introduction

The Versatile Message Transaction Protocol (VMTP) is a transport
protocol designed to support remote procedure call (RPC) and general
transaction-oriented communication.  By transaction-oriented
communication, we mean that:

   - Communication is request-response:  A client sends a request
     for a service to a server, the request is processed, and the
     server responds.  For example, a client may ask for the next
     page of a file as the service.  The transaction is terminated
     by the server responding with the next page.

   - A transaction is initiated as part of sending a request to a
     server and terminated by the server responding.  There are no
     separate operations for setting up or terminating associations
     between clients and servers at the transport level.

   - The server is free to discard communication state about a
     client between transactions without causing incorrect behavior
     or failures.

The term message transaction (or transaction) is used in the reminder of
this document for a request-response exchange in the sense described
above.

VMTP handles the error detection, retransmission, duplicate suppression
and, optionally, security required for transport-level end-to-end
reliability.

The protocol is designed to provide a range of behaviors within the
transaction model, including:

   - Minimal two packet exchanges for short, simple transactions.

   - Streaming of multi-packet requests and responses for efficient
     data transfer.

   - Datagram and multicast communication as an extension of the
     transaction model.

Example Uses:

   - Page-level file access - VMTP is intended as the transport
     level for file access, allowing simple, efficient operation on
     a local network.  In particular, VMTP is appropriate for use
     by diskless workstations accessing shared network file
Top   ToC   RFC1045 - Page 7
     servers.

   - Distributed programming - VMTP is intended to provide an
     efficient transport level protocol for remote procedure call
     implementations, distributed object-oriented systems plus
     message-based systems that conform to the request-response
     model.

   - Multicast communication with groups of servers to:  locate a
     specific object within the group, update a replicated object,
     synchronize the commitment of a distributed transaction, etc.

   - Distributed real-time control with prioritized message
     handling, including datagrams, multicast and asynchronous
     calls.

The protocol is designed to operate on top of a simple unreliable
datagram service, such as is provided by IP.


1.1. Motivation

VMTP was designed to address three categories of deficiencies with
existing transport protocols in the Internet architecture.  We use TCP
as the key current transport protocol for comparison.


1.1.1. Poor RPC Performance

First, current protocols provide poor performance for remote procedure
call (RPC) and network file access.  This is attributable to three key
causes:

   - TCP requires excessive packets for RPC, especially for
     isolated calls.  In particular, connection setup and clear
     generates extra packets over that needed for VMTP to support
     RPC.

   - TCP is difficult to implement, speaking purely from the
     empirical experience over the last 10 years.  VMTP was
     designed concurrently with its implementation, with focus on
     making it easy to implement and providing sensible subsets of
     its functionality.

   - TCP handles packet loss due to overruns poorly.  We claim that
     overruns are the key source of packet loss in a
     high-performance RPC environment and, with the increasing
Top   ToC   RFC1045 - Page 8
     performance of networks, will continue to be the key source.
     (Older machines and network interfaces cannot keep up with new
     machines and network interfaces.  Also, low-end network
     interfaces for high-speed networks have limited receive
     buffering.)

VMTP is designed for ease of implementation and efficient RPC.  In
addition, it provides selective retransmission with rate-based flow
control, thus addressing all of the above issues.


1.1.2. Weak Naming

Second, current protocols provide inadequate naming of transport-level
endpoints because the names are based on IP addresses.  For example, a
TCP endpoint is named by an Internet address and port identifier.
Unfortunately, this makes the endpoint tied to a particular host
interface, not specifically the process-level state associated with the
transport-level endpoint.  In particular, this form of naming causes
problems for process migration, mobile hosts and multi-homed hosts.
VMTP provides host-address independent names, thereby solving the above
mentioned problems.

In addition, TCP provides no security and reliability guarantees on the
dynamically allocated names.  In particular, other than well-known
ports, (host-addr, port-id)-tuples can change meaning on reboot
following a crash.  VMTP provides large identifiers with guarantee of
stability, meaning that either the identifier never changes in meaning
or else remains invalid for a significant time before becoming valid
again.


1.1.3. Function Poor

TCP does not support multicast, real-time datagrams or security.  In
fact, it only supports pair-wise, long-term, streamed reliable
interchanges.  Yet, multicast is of growing importance and is being
developed for the Internet (see RFC 966 and 988).  Also, a datagram
facility with the same naming, transmission and reception facilities as
the normal transport level is a powerful asset for real-time and
parallel applications.  Finally, security is a basic requirement in an
increasing number of environments.  We note that security is natural to
implement at the transport level to provide end-to-end security (as
opposed to (inter)network level security).  Without security at the
transport level, a transport level protocol cannot guarantee the
standard transport level service definition in the presence of an
intruder.  In particular, the intruder can interject packets or modify
Top   ToC   RFC1045 - Page 9
packets while updating the checksum, making mockery out of the
transport-level claim of "reliable delivery".

In contrast, VMTP provides multicast, real-time datagrams and security,
addressing precisely these weaknesses.

In general, VMTP is designed with the next generation of communication
systems in mind.  These communication systems are characterized as
follows.  RPC, page-level file access and other request-response
behavior dominates.  In addition, the communication substrate, both
local and wide-area, provides high data rates, low error rates and
relatively low delay.  Finally, intelligent, high-performance network
interfaces are common and in fact required to achieve performance that
approximates the network capability.  However, VMTP is also designed to
function acceptably with existing networks and network interfaces.


1.2. Relation to Other Protocols

VMTP is a transport protocol that fits into the layered Internet
protocol environment.  Figure 1-1 illustrates the place of VMTP in the
protocol hierarchy.


 +-----------+ +----+ +-----------------+ +------+
 |File Access| |Time| |Program Execution| |Naming|... Application
 +-----------+ +----+ +-----------------+ +------+      Layer
       |           |           |             |      |
       +-----------+-----------+-------------+------+
                               |
                        +------------------+
                        | RPC Presentation |          Presentation
                        +------------------+          Layer
                                  |
            +------+          +--------+
            |  TCP |          | VMTP   |              Transport
            +------+          +--------+              Layer
                |                  |
           +-----------------------------------+
           |       Internet Protocol & ICMP    |      Internetwork
           +-----------------------------------+      Layer

               Figure 1-1:   Relation to Other Protocols

The RPC presentation level is not currently defined in the Internet
suite of protocols.  Appendix II defines a proposed RPC presentation
level for use with VMTP and assumed for the definition of the VMTP
management procedures.  There is also a need for the definition of the
Top   ToC   RFC1045 - Page 10
Application layer protocols listed above.

If internetwork services are not required, VMTP can be used without the
IP layer, layered directly on top of the network or data link layers.


1.3. Document Overview

The next chapter gives an overview of the protocol, covering naming,
message structure, reliability, flow control, streaming, real-time,
security, byte-ordering and management.  Chapter 3 describes the VMTP
packet formats.  Chapter 4 describes the client VMTP protocol operation
in terms of pseudo-code for event handling.  Chapter 5 describes the
server VMTP protocol operation in terms of pseudo-code for event
handling.  Chapter 6 summarizes the state of the protocol, some
remaining issues and expected directions for the future.  Appendix I
lists some standard Response codes.  Appendix II describes the RPC
presentation protocol proposed for VMTP and used with the VMTP
management procedures.  Appendix III lists the VMTP management
procedures.  Appendix IV proposes initial approaches for handling entity
identification for VMTP.  Appendix V proposes initial authentication
domains for VMTP.  Appendix VI provides some details for implementing
VMTP on top of IP.  Appendix VII provides some suggestions on host
implementation of VMTP, focusing on data structures and support
functions.  Appendix VIII describes a proposed program interface for
UNIX 4.3 BSD and its descendants and related systems.
Top   ToC   RFC1045 - Page 11
2. Protocol Overview

VMTP provides an efficient, reliable, optionally secure transport
service in the message transaction or request-response model with the
following features:

   - Host address-independent naming with provision for multiple
     forms of names for endpoints as well as associated (security)
     principals.  (See Sections 2.1, 2.2, 3.1 and Appendix IV.)

   - Multi-packet request and response messages, with a maximum
     size of 4 megaoctets per message.  (Sections 2.3 and 2.14.)

   - Selective retransmission. (Section 2.13.)  and rate-based flow
     control to reduce overrun and the cost of overruns.  (Section
     2.5.6.)

   - Secure message transactions with provision for a variety of
     encryption schemes.  (Section 2.6.)

   - Multicast message transactions with multiple response messages
     per request message.  (Section 2.7.)

   - Support for real-time communication with idempotent message
     transactions with minimal server overhead and state (Section
     2.5.3), datagram request message transactions with no
     response, optional header-only checksum, priority processing
     of transactions, conditional delivery and preemptive handling
     of requests (Section 2.8)

   - Forwarded message transactions as an optimization for certain
     forms of nested remote procedure calls or message
     transactions.  (Section 2.9.)

   - Multiple outstanding (asynchronous) message transactions per
     client.  (Section 2.11.)

   - An integrated management module, defined with a remote
     procedure call interface on top of VMTP providing a variety of
     communication services (Section 2.10.)

   - Simple subset implementation for simple clients and simple
     servers.  (Section 2.16.)

This chapter provides an overview of the protocol as introduction to the
basic ideas and as preparation for the subsequent chapters that describe
the packet formats and event processing procedures in detail.
Top   ToC   RFC1045 - Page 12
In overview, VMTP provides transport communication between network-
visible entities via message transactions.  A message transaction
consists of a request message sent by the client, or requestor, to a
group of server entities followed by zero or more response messages to
the client, at most one from each server entity.  A message is
structured as a message control portion and a segment data portion.  A
message is transmitted as one or more packet groups.  A packet group  is
one or more packets (up to a maximum of 32 packets) grouped by the
protocol for acknowledgment, sequencing, selective retransmission and
rate control.

Entities and VMTP operations are managed using a VMTP management
mechanism that is accessed through a procedural interface (RPC)
implemented on top of VMTP.  In particular, information about a remote
entity is obtained and maintained using the Probe VMTP management
operation.  Also, acknowledgment information and requests for
retransmission are sent as notify requests to the management module.
(In the following description, reference to an "acknowledgment" of a
request or a response refers to a management-level notify operation that
is acknowledging the request or response.)


2.1. Entities, Processes and Principals

VMTP defines and uses three main types of identifiers:  entity
identifiers, process identifiers and principal identifiers, each 64-bits
in length.  Communication takes place between network-visible entities,
typically mapping to, or representing, a message port or procedure
invocation.  Thus, entities are the VMTP communication endpoints.  The
process associated with each entity designates the agent behind the
communication activity for purposes of resource allocation and
management.  For example, when a lock is requested on a file, the lock
is associated with the process, not the requesting entity, allowing a
process to use multiple entity identifiers to perform operations without
lock conflict between these entities.  The principal associated with an
entity specifies the permissions, security and accounting designation
associated with the entity.  The process and principal identifiers are
included in VMTP solely to make these values available to VMTP users
with the security and efficiency provided by VMTP.  Only the entity
identifiers are actively used by the protocol.

Entity identifiers are required to have three properties;

Uniqueness      Each entity identifier is uniquely defined at any given
                time.  (An entity identifier may be reused over time.)

Stability       An entity identifier does not change between valid
Top   ToC   RFC1045 - Page 13
                meanings without suitable provision for removing
                references to the entity identifier.  Certain entity
                identifiers are strictly stable, (i.e. never changing
                meaning), typically being administratively assigned
                (although they need not be bound to a valid entity at
                all times), often called well-known identifiers.  All
                other entity identifiers are required to be T-stable,
                not change meaning without having remained invalid for
                at least a time interval T.

Host address independent
                An entity identifier is unique independent of the host
                address of its current host.  Moreover, an entity
                identifier is not tied to a single Internet host
                address.  An entity can migrate between hosts, reside on
                a mobile host that changes Internet addresses or reside
                on a multi-homed host.  It is up to the VMTP
                implementation to determine and maintain up to date the
                host addresses of entities with which it is
                communicating.

The stability of entity identifiers guarantees that an entity identifier
represents the same logical communication entity and principal (in the
security sense) over the time that it is valid.  For example, if an
entity identifier is authenticated as having the privileges of a given
user account, it continues to have those privileges as long as it is
continuously valid (unless some explicit notice is provided otherwise).
Thus, a file server need not fully authenticate the entity on every file
access request.  With T-stable identifiers, periodically checking the
validity of an entity identifier with period less than T seconds detects
a change in entity identifier validity.

A group of entities can form an entity group, which is a set of zero or
more entities identified by a single entity identifier.  For example,
one can have a single entity identifier that identifies the group of
name servers.  An entity identifier representing an entity group is
drawn from the same name space as entity identifiers.  However, single
entity identifiers are flagged as such by a bit in the entity
identifier, indicating that the identifier is known to identify at most
one entity.  In addition to the group bit, each entity identifier
includes other standard type flags.  One flag indicates whether the
identifier is an alias for an entity in another domain (See Section 2.2
below.).  Another flag indicates, for an entity group identifier,
whether the identifier is a restricted group or not.  A restricted group
is one in which an entity can be added only by another entity with group
management authorization.  With an unrestricted group, an entity is
allowed to add itself.  If an entity identifier does not represent a
Top   ToC   RFC1045 - Page 14
group, a type bit indicates whether the entity uses big-endian or
little-endian data representation (corresponding to Motorola 680X0 and
VAX byte orders, respectively).  Further specification of the format of
entity identifiers is contained in Section 3.1 and Appendix IV.

An entity identifier identifies a Client, a Server or a group of
Servers <1>.  A Client is always identified by a T-stable identifier.  A
server or group of servers may be identified by a a T-stable identifier
(group or single entity) or by strictly stable (statically assigned)
entity group identifier.  The same T-stable identifier can be used to
identify a Client and Server simultaneously as long as both are
logically associated with the same entity.  The state required for
reliable, secure communication between entities is maintained in client
state records (CSRs), which include the entity identifier of the Client,
its principal, its current or next transaction identifier and so on.


2.2. Entity Domains

An entity domain is an administration or an administration mechanism
that guarantees the three required entity identifier properties of
uniqueness, stability and host address independence for the entities it
administers.  That is, entity identifiers are only guaranteed to be
unique and stable within one entity domain.  For example, the set of all
Internet hosts may function as one domain.  Independently, the set of
hosts local to one autonomous network may function as a separate domain.
Each entity domain is identified by an entity domain identifier, Domain.
Only entities within the same domain may communicate directly via VMTP.
However, hosts and entities may participate in multiple entity domains
simultaneously, possibly with different entity identifiers.  For
example, a file server may participate in multiple entity domains in
order to provide file service to each domain.  Each entity domain
specifies the algorithms for allocation, interpretation and mapping of
entity identifiers.

Domains are necessary because it does not appear feasible to specify one
universal VMTP entity identification administration that covers all
entities for all time.  Domains limit the number of entities that need
to be managed to maintain the uniqueness and stability of the entity

_______________

<1>   Terms such as Client, Server, Request, Response, etc.  are
capitalized in this document when they refer to their specific meaning
in VMTP.
Top   ToC   RFC1045 - Page 15
name space.  Domains can also serve to separate entities of different
security levels.  For instance, allocation of a unclassified entity
identifier cannot conflict with secret level entity identifiers because
the former is interpreted only in the unclassified domain, which is
disjoint from the secret domain.

It is intended that there be a small number of domains.  In particular,
there should be one (or a few) domains per installation "type", rather
than per installation.  For example, the Internet is expected to use one
domain per security level, resulting in at most 8 different domains.
Cluster-based internetwork architectures, those with a local cluster
protocol distinct from the wide-area protocol, may use one domain for
local use and one for wide-area use.

Additional details on the specification of specific domains is provided
in Appendix IV.


2.3. Message Transactions

The message transaction is the unit of interaction between a Client that
initiates the transaction and one or more Servers.  A message
transaction starts with a request message  generated by a client.  At
the service interface, a server becomes involved with a transaction by
receiving and accepting the request.  A server terminates its
involvement with a transaction by sending a response message.  In a
group message transaction, the server entity designated by the client
corresponds to a group of entities.  In this case, each server in the
group receives a copy of the request.  In the client's view, the
transaction is terminated when it receives the response message or, in
the case of a group message transaction, when it receives the last
response message.  Because it is normally impractical to determine when
the last response message has been received.  the current transaction is
terminated by VMTP when the next transaction is initiated.

Within an entity domain, a transaction is uniquely identified by the
tuple (Client, Transaction, ForwardCount).  where Transaction is a
32-bit number and ForwardCount is a 4-bit value.  A Client uses
monotonically increasing Transaction identifiers for new message
transactions.  Normally, the next higher transaction number, modulo
2**32, is used for the next message transaction, although there are
cases in which it skips a small range of Transaction identifiers.  (See
the description of the STI control flag.)  The ForwardCount is used when
a message transaction is forwarded and is zero otherwise.

A Client generates a stream of message transactions with increasing
transaction identifiers, directed at a diversity of Servers.  We say a
Top   ToC   RFC1045 - Page 16
Client has a transaction outstanding if it has invoked a message
transaction, but has not received the last Response (or possibly any
Response).  Normally, a Client has only one transaction outstanding at a
time.  However, VMTP allows a Client to have multiple message
transactions outstanding simultaneously, supporting streamed,
asynchronous remote procedure call invocations.  In addition, VMTP
supports nested calls where, for example, procedure A calls procedure B
which calls procedure C, each on a separate host with different client
entity identifiers for each call but identified with the same process
and principal.


2.4. Request and Response Messages

A message transaction consists of a request message and one or more
Response messages.  A message is structured as message control block
(MCB) and segment data, passed as parameters, as suggested below.

  +-----------------------+
  | Message Control Block |
  +-----------------------+
  +-----------------------------------+
  |       segment data                |
  +-----------------------------------+

In the request message, the MCB specifies control information about the
request plus an optional data segment.  The MCB has the following
format:
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 +                         ServerEntityId  (8 octets)            +
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |   Flags       |         RequestCode                           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 +                         CoresidentEntity (8 octets)           +
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 >                         User Data (12 octets)                 <
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                         MsgDelivery                           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                         SegmentSize                           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The ServerEntityId is the entity to which the Request MCB is to be sent
(or was sent, in the case of reception).  The Flags indicate various
options in the request and response handling as well as whether the
Top   ToC   RFC1045 - Page 17
CoresidentEntity, MsgDelivery and SegmentSize fields are in use.  The
RequestCode field specifies the type of Request.  It is analogous to a
packet type field of the Ethernet, acting as a switch for higher-level
protocols.  The CoresidentEntity field, if used, designates a subgroup
of the ServerEntityId group to which the Request should be routed,
namely those members that are co-resident with the specified entity (or
entity group).  The primary intended use is to specify the manager for a
particular service that is co-resident with a particular entity, using
the well-known entity group identifier for the service manager in the
ServerEntityId field and the identifier for the entity in the
CoresidentEntity field.  The next 12 octets are user- or
application-specified.

The MsgDelivery field is optionally used by the RPC or user level to
specify the portions of the segment data to transmit and on reception,
the portions received.  It provides the client and server with
(optional) access to, and responsibility for, a simple selective
transmission and reception facility.  For example, a client may request
retransmission of just those portions of the segment that it failed to
receive as part of the original Response.  The primary intended use is
to support highly efficient multi-packet reading from a file server.
Exploiting user-level selective retransmission using the MsgDelivery
field, the file server VMTP module need not save multi-packet Responses
for retransmission.  Retransmissions, when needed, are instead handled
directly from the file server buffers.

The SegmentSize field indicates the size of the data segment, if
present.  The CoresidentEntity, MsgDelivery and SegmentSize fields are
usable as additional user data if they are not otherwise used.

The Flags field provides a simple mechanism for the user level to
communicate its use of VMTP options with the VMTP module as well as for
VMTP modules to communicate this use among themselves.  The use of these
options is generally fixed for each remote procedure so that an RPC
mechanism using VMTP can treat the Flags as an integral part of the
RequestCode field for the purpose of demultiplexing to the correct stub.

A Response message control block follows the same format except the
Response is sent from the Server to the Client and there is no
Coresident Entity field (and thus 20 octets of user data).


2.5. Reliability

VMTP provides reliable, sequenced transfer of request and response
messages as well as several variants, such as unreliable datagram
requests.  The reliability mechanisms include: transaction identifiers,
Top   ToC   RFC1045 - Page 18
checksums, positive acknowledgment of messages and timeout and
retransmission of lost packets.


2.5.1. Transaction Identifiers

Each message transaction is uniquely identified by the pair (Client,
Transaction).  (We defer discussion of the ForwardCount field to Section
2.9.)  The 32-bit transaction identifier is initialized to a random
value when the Client entity is created or allocated its entity
identifier.  The transaction identifier is incremented at the end of
each message transaction.  All Responses with the same specified
(Client, Transaction) pair are associated with this Request.

The transaction identifier is used for duplicate suppression at the
Server.  A Server maintains a state record for each Client for which it
is processing a Request, identified by (Client, Transaction).  A Request
with the same (Client, Transaction) pair is discarded as a duplicate.
(The ForwardCount field must also be equal.)  Normally, this record is
retained for some period after the Response is sent, allowing the Server
to filter out subsequent duplicates of this Request.  When a Request
arrives and the Server does not have a state record for the sending
Client, the Server takes one of three actions:

   1. The Server may send a Probe request, a simple query
      operation, to the VMTP management module associated with the
      requesting Client to determine the Client's current
      Transaction identifier (and other information), initialize a
      new state record from this information, and then process the
      Request as above.

   2. The Server may reason that the Request must be a new request
      because it does not have a state record for this Client if it
      keeps these state records for the maximum packet lifetime of
      packets in the network (plus the maximum VMTP retransmission
      time) and it has not been rebooted within this time period.
      That is, if the Request is not new either the Request would
      have exceeded the maximum packet lifetime or else the Server
      would have a state record for the Client.

   3. The Server may know that the Request is idempotent or can be
      safely redone so it need not care whether the Request is a
      duplicate or not.  For example, a request for the current
      time can be responded to with the current time without being
      concerned whether the Request is a duplicate.  The Response
      is discarded at the Client if it is no longer of interest.
Top   ToC   RFC1045 - Page 19
2.5.2. Checksum

Each VMTP packet contains a checksum to allow the receiver to detect
corrupted packets independent of lower level checks.  The checksum field
is 32 bits, providing greater protection than the standard 16-bit IP
checksum (in combination with an improved checksum algorithm).  The
large packets, high packet rates and general network characteristics
expected in the future warrant a stronger checksum mechanism.

The checksum normally covers both the VMTP header and the segment data.
Optionally (for real-time applications), the checksum may apply only to
the packet header, as indicated by the HCO control bit being set in the
header.  The checksum field is placed at the end of the packet to allow
it to be calculated as part of a software copy or as part of a hardware
transmission or reception packet processing pipeline, as expected in the
next generation of network interfaces.  Note that the number of header
and data octets is an integral multiple of 8 because VMTP requires that
the segment data be padded to be a multiple of 64 bits.  The checksum
field is appended after the padding, if any.  The actual algorithm is
described in Section 3.2.

A zero checksum field indicates that no checksum was transmitted with
the packet.  VMTP may be used without a checksum only when there is a
host-to-host error detection mechanism and the VMTP security facility is
not being used.  For example, one could rely on the Ethernet CRC if
communication is restricted to hosts on the same Ethernet and the
network interfaces are considered sufficiently reliable.


2.5.3. Request and Response Acknowledgment

VMTP assumes an unreliable datagram network and internetwork interface.
To guarantee delivery of Requests and Response, VMTP uses positive
acknowledgments, retransmissions and timeouts.

A Request is normally acknowledged by receipt of a Response associated
with the Request, i.e. with the same (Client, Transaction).  With
streamed message transactions, it may also be acknowledged by a
subsequent Response that acknowledges previous Requests in addition to
the transaction it explicitly identifies.  A Response may be explicitly
acknowledged by a NotifyVmtpServer operation requested of the manager
for the Server.  In the case of streaming, this is a cumulative
acknowledgment, acknowledging all Responses with a lower transaction
identifier as well.)  In addition, with non-streamed communication, a
subsequent Request from the same Client acknowledges Responses to all
previous message transactions (at least in the sense that either the
client received a Response or is no longer interested in Responses to
Top   ToC   RFC1045 - Page 20
those earlier message transactions).  Finally, a client response timeout
(at the server) acknowledges a Response at least in the sense that the
server need not be prepared to retransmit the Response subsequently.
Note that there is no end-to-end guarantee of the Response being
received by the client at the application level.


2.5.4. Retransmissions

In general, a Request or Response is retransmitted periodically until
acknowledged as above, up to some maximum number of retransmissions.
VMTP uses parameters RequestRetries(Server) and ResponseRetries(Client)
that indicate the number of retransmissions for the server and client
respectively before giving up.  We suggest the value 5 be used for both
parameters based on our experience with VMTP and Internet packet loss.
Smaller values (such as 3) could be used in low loss environments in
which fast detection of failed hosts or communication channels is
required.  Larger values should be used in high loss environments where
transport-level persistence is important.

In a low loss environment, a retransmission only includes the MCB and
not the segment data of the Request or Response, resulting in a single
(short) packet on retransmission.  The intended recipient of the
retransmission can request selective retransmission of all or part of
the segment data as necessary.  The selective retransmission mechanism
is described in Section 2.13.

If a Response is specified as idempotent, the Response is neither
retransmitted nor stored for retransmission.  Instead, the Client must
retransmit the Request to effectively get the Response retransmitted.
The server VMTP module responds to retransmissions of the Request by
passing the Request on to the server again to have it regenerate the
Response (by redoing the operation), rather than saving a copy of the
Response.  Only Request packets for the last transaction from this
client are passed on in this fashion; older Request packets from this
client are discarded as delayed duplicates.  If a Response is not
idempotent, the VMTP module must ensure it has a copy of the Response
for retransmission either by making a copy of the Response (either
physically or copy-on-write) or by preventing the Server from continuing
until the Response is acknowledged.


2.5.5. Timeouts

There is one client timer for each Client with an outstanding
transaction.  Similarly, there is one server timer for each Client
transaction that is "active" at the server, i.e. there is a transaction
Top   ToC   RFC1045 - Page 21
record for a Request from the Client.

When the client transmits a new Request (without streaming), the client
timer  is set to roughly the time expected for the Response to be
returned.  On timeout, the Request is retransmitted with the APG
(Acknowledge Packet Group) bit set.  The timeout is reset to the
expected roundtrip time to the Server because an acknowledgment should
be returned immediately unless a Response has been sent.  The Request
may also be retransmitted in response to receipt of a VMTP management
operation indicating that selected portions of the Request message
segment need to be retransmitted.  With streaming, the timeout applies
to the oldest outstanding message transaction in the run of outstanding
message transactions.  Without streaming, there is one message
transaction in the run, reducing to the previous situation.  After the
first packet of a Response is received, the Client resets the timeout to
be the time expected before the next packet in the Response packet group
is received, assuming it is a multi-packet Response.  If not, the timer
is stopped.  Finally, the client timer is used to timeout waiting for
second and subsequent Responses to a multicast Request.

The client timer is set at different times to four different values:

TC1(Server)     The expected time required to receive a Response from
                the Server.  Set on initial Request transmission plus
                after its management module receives a NotifyVmtpClient
                operation, acknowledging the Request.

TC2(Server)     The estimated round trip delay between the client and
                the server.  Set when retransmitting after receiving no
                Response for TC1(Server) time and retransmitting the
                Request with the APG bit set.

TC3(Server)     The estimated maximum expected interpacket time for
                multi-packet Responses from the Server.  Set when
                waiting for subsequent Response packets within a packet
                group before timing out.

TC4             The time to wait for additional Responses to a group
                Request after the first Response is received.  This is
                specified by the user level.

These values are selected as follows.  TC1 can be set to TC2 plus a
constant, reflecting the time within which most servers respond to most
requests.  For example, various measurements of VMTP usage at Stanford
indicate that 90 percent of the servers respond in less than 200
milliseconds.  Setting TC1 to TC2 + 200 means that most Requests receive
a Response before timing out and also that overhead for retransmission
Top   ToC   RFC1045 - Page 22
for long running transactions is insignificant.  A sophisticated
implementation may make the estimation of TC1 further specific to the
Server.

TC2 may be estimated by measuring the time from when a Probe request is
sent to the Server to when a response is received.  TC2 can also be
measured as the time between the transmission of a Request with the APG
bit set to receipt of a management operation acknowledging receipt of
the Request.

When the Server is an entity group, TC1 and TC2 should be the largest of
the values for the members of the group that are expected to respond.
This information may be determined by probing the group on first use
(and using the values for the last responses to arrive).  Alternatively,
one can resort to default values.

TC3 is set initially to 10 times the transmission time for the maximum
transmission unit (MTU) to be used for the Response.  A sophisticated
implementation may record TC3 per Server and refine the estimate based
on measurements of actual interpacket gaps.  However, a tighter estimate
of TC3 only improves the reaction time when a packet is lost in a packet
group, at some cost in unnecessary retransmissions when the estimate
becomes overly tight.

The server timer, one per active Client, takes on the following values:

TS1(Client)     The estimated maximum expected interpacket time.  Set
                when waiting for subsequent Request packets within a
                packet group before timing out.

TS2(Client)     The time to wait to hear from a client before
                terminating the server processing of a Request.  This
                limits the time spent processing orphan calls, as well
                as limiting how out of date the server's record of the
                Client state can be.  In particular, TS2 should be
                significantly less than the minimum time within which it
                is reasonable to reuse a transaction identifier.

TS3(Client)     Estimated roundtrip time to the Client,

TS4(Client)     The time to wait after sending a Response (or last
                hearing from a client) before discarding the state
                associated with the Request which allows it to filter
                duplicate Request packets and regenerate the Response.

TS5(Client)     The time to wait for an acknowledgment after sending a
                Response before retransmitting the Response, or giving
Top   ToC   RFC1045 - Page 23
                up (after some number of retransmissions).

TS1 is set the same as TC3.

The suggested value for TS2 is TC1 + 3*TC2 for this server, giving the
Client time to timeout waiting for a Response and retransmit 3 Request
packets, asking for acknowledgments.

TS3 is estimated the same as TC1 except that refinements to the estimate
use measurements of the Response-to-acknowledgment times.

In the general case, TS4 is set large enough so that a Client issuing a
series of closely-spaced Requests to the same Server reuses the same
state record at the Server end and thus does not incur the overhead of
recreating this state.  (The Server can recreate the state for a Client
by performing a Probe on the Client to get the needed information.)  It
should also be set low enough so that the transaction identifier cannot
wrap around and so that the Server does not run out of CSR's.  We
suggest a value in the range of 500 milliseconds.  However, if the
Server accepts non-idempotent Requests from this Client without doing a
Probe on the Client, the TS4 value for this CSR is set to at least 4
times the maximum packet lifetime.

TS5 is TS3 plus the expected time for transmission and reception of the
Response.  We suggest that the latter be calculated as 3 times the
transmission time for the Response data, allowing time for reception,
processing and transmission of an acknowledgment at the Client end.  A
sophisticated implementation may refine this estimate further over time
by timing acknowledgments to Responses.


2.5.6. Rate Control

VMTP is designed to deal with the present and future problem of packet
overruns.  We expect overruns to be the major cause of dropped packets
in the future.  A client is expected to estimate and adjust the
interpacket gap times so as to not overrun a server or intermediate
nodes.  The selective retransmission mechanism allows the server to
indicate that it is being overrun (or some intermediate point is being
overrun).  For example, if the server requests retransmission of every
Kth block, the client should assume overrun is taking place and increase
the interpacket gap times.  The client passes the server an indication
of the interpacket gap desired for a response.  The client may have to
increase the interval because packets are being dropped by an
intermediate gateway or bridge, even though it can handle a higher rate.
A conservative policy is to increase the interpacket gap whenever a
packet is lost as part of a multi-packet packet group.
Top   ToC   RFC1045 - Page 24
The provision of selective retransmission allows the rate of the client
and the server to "push up" against the maximum rate (and thus lose
packets) without significant penalty.  That is, every time that packet
transmission exceeds the rate of the channel or receiver, the recovery
cost to retransmit the dropped packets is generally far less than
retransmitting from the first dropped packet.

The interpacket gap is expressed in 1/32nd's of the MTU packet
transmission time.  The minimum interpacket gap is 0 and the maximum gap
that can be described in the protocol is 8 packet times.  This places a
limit on the slowest receivers that can be efficiently used on a
network, at least those handling multi-packet Requests and Responses.
This scheme also limits the granularity of adjustment.  However, the
granularity is relative to the speed of the network, as opposed to an
absolute time.  For entities on different networks of significantly
different speed, we assume the interconnecting gateways can buffer
packets to compensate<2>. With different network speeds and intermediary
nodes subject to packet loss, a node must adjust the interpacket gap
based on packet loss.  The interpacket gap parameter may be of limited
use.


2.6. Security

VMTP provides an (optional) secure mode that protects against the usual
security threats of peeking, impostoring, message tampering and replays.
Secure VMTP must be used to guarantee any of the transport-level
reliability properties unless it is guaranteed that there are no
intruders or agents that can modify packets and update the packet
checksums.  That is, non-secure VMTP provides no guarantees in the
presence of an intelligent intruder.

The design closely follows that described by Birrell [1].  Authenticated
information about a remote entity, including an encryption/decryption
key, is obtained and maintained using a VMTP management operation, the
authenticated Probe operation, which is executed as a non-secure VMTP
message transaction.  If a server receives a secure Request for which
the server has no entity state, it sends a Probe request to the VMTP

_______________

<2>   Gateways must also employ techniques to preserve or intelligently
modify (if appropriate) the interpacket gaps.  In particular, they must
be sure not to arbitrarily remove interpacket gaps as a result of their
forwarding of packets.
Top   ToC   RFC1045 - Page 25
management module of the client, "challenging" it to provide an
authenticator that both authenticates the client as being associated
with a particular principal as well as providing a key for
encryption/decryption.  The principal can include a real and effective
principal, as used in UNIX <3>.  Namely, the real principal is the
principal on whose behalf the Request is being performed whereas the
effective principal is the principal of the module invoking the request
or remote procedure call.

Peeking is prevented by encrypting every Request and Response packet
with a working Key that is shared between Client and Server.
Impostoring and replays are detected by comparing the Transaction
identifier with that stored in the corresponding entity state record
(which is created and updated by VMTP as needed).  Message tampering is
detected by encryption of the packet including the Checksum field.  An
intruder cannot update the checksum after modifying the packet without
knowing the Key.  The cost of fully encrypting a packet is close to the
cost of generating a cryptographic checksum (and of course, encryption
is needed in the general case), so there is no explicit provision for
cryptographic checksum without packet encryption.

A Client determines the Principal of the Server and acquires an
authenticator for this Server and Principal using a higher level
protocol.  The Server cannot decrypt the authenticator or the Request
packets unless it is in fact the Principal expected by the Client.

An encrypted VMTP packet is flagged by the EPG bit  in the VMTP packet
header.  Thus, encrypted packets are easily detected and demultiplexed
from unencrypted packets.  An encrypted VMTP packet is entirely
encrypted except for the Client, Version, Domain, Length and Packet
Flags fields at the beginning of the packet.  Client identifiers can be
assigned, changed and used to have no real meaning to an intruder or to
only communicate public information (such as the host Internet address).
They are otherwise just a random means of identification and
demultiplexing and do not therefore divulge any sensitive information.
Further secure measures must be taken at the network or data link levels
if this information or traffic behavior is considered sensitive.

VMTP provides multiple authentication domains  as well as an encryption
qualifier to accommodate different encryption algorithms and their

_______________

<3>   Principal group membership must be obtained, if needed, by a
higher level protocol.
Top   ToC   RFC1045 - Page 26
corresponding security/performance trade-offs.  (See Appendix V.)  A
separate key distribution and authentication protocol is required to
handle generation and distribution of authenticators and keys.  This
protocol can be implemented on top of VMTP and can closely follow the
Birrell design as well.

Security is optional in the sense that messages may be secure or
non-secure, even between consecutive message transactions from the same
client.  It is also optional in that VMTP clients and servers are not
required to implement secure VMTP (although they are required to respond
intelligently to attempts to use secure VMTP).  At worst, a Client may
fail to communicate with a Server if the Server insists on secure
communication and the Client does not implement security or vice versa.
However, a failure to communicate in this case is necessary from a
security standpoint.


2.7. Multicast

The Server entity identifier in a message transaction can identify an
entity group, in which case the Request is multicast to every Entity in
this group (on a best-efforts basis).  The Request is retransmitted
until at least one Response is received (or an error timeout occurs)
unless it is a datagram Request.  The Client can receive multiple
Responses to the Request.

The VMTP service interface does not directly provide reliable multicast
because it is expensive to provide, rarely needed by applications, and
can be implemented by applications using the multiple Response feature.
However, the protocol itself is adequate for reliable multicast using
positive acknowledgments.  In particular, a sophisticated Client
implementation could maintain a list of members for each entity group of
interest and retransmit the Request until acknowledged by all members.
No modifications are required to the Server implementations.

VMTP supports a simple form of subgroup addressing.  If the CRE  bit is
set in a Request, the Request is delivered to the subgroup of entities
in the Server group that are co-resident with one or more entities in
the group (or individual entity) identified by the CoresidentEntity
field of the Request.  This is commonly used to send to the manager
entity for a particular entity, where Server specifies the group of such
managers.  Co-resident means "using the same VMTP module", and logically
on the same network host.  In particular, a Probe request can be sent to
the particular VMTP management module for an entity by specifying the
VMTP management group as the Server and the entity in question as the
CoResidentEntity.
Top   ToC   RFC1045 - Page 27
As an experimental aspect of the protocol, VMTP supports the Server
sending a group Response which is sent to the Client as well as members
of the destination group of Servers to which the original Request was
sent.  The MDG bit indicates whether the Client is a member of this
group, allowing the Server module to determine whether separately
addressed packet groups are required to send the Response to both the
Client and the Server group.  Normally, a Server accepts a group
Response only if it has received the Request and not yet responded to
the Client.  Also, the Server must explicitly indicate it wants to
accept group Responses.  Logically, this facility is analogous to
responding to a mail message sent to a distribution list by sending a
copy of the Response to the distribution list.


2.8. Real-time Communication

VMTP provides three forms of support for real-time communication, in
addition to its standard facilities, which make it applicable to a wide
range of real-time applications.  First, a priority is transmitted in
each Request and Response which governs the priority of its handling.
The priority levels are intended to correspond roughly to:

   - urgent/emergency.

   - important

   - normal

   - background.

with additional gradations for each level.  The interpretation and
implementation of these priority levels is otherwise host-specific, e.g.
the assignment to host processing priorities.

Second, datagram Requests allow the Client to send a datagram to another
entity or entity group using the VMTP naming, transmission and delivery
mechanism, but without blocking, retransmissions or acknowledgment.
(The client can still request acknowledgment using the APG bit although
the Server does not expect missing portions of a multi-packet datagram
Request to be retransmitted even if some are not received.)  A datagram
Request in non-streamed mode supersedes all previous Requests from the
same Client.  A datagram Request in stream mode is queued (if necessary)
after previous datagram Requests on the same stream.  (See Section
2.11.)

Finally, VMTP provides several control bit flags to modify the handling
of Requests and Responses for real-time requirements.  First, the
Top   ToC   RFC1045 - Page 28
conditional message delivery (CMD) flag causes a Request to be discarded
if the recipient is not waiting for it when it arrives, similarly for
the Response.  This option allows a client to send a Request that is
contingent on the server being able to process it immediately.  The
header checksum only (HCO) flag indicates that the checksum has been
calculated only on the VMTP header and not on the data segment.
Applications such as voice and video can avoid the overhead of
calculating the checksum on data whose utility is insensitive to typical
bit errors without losing protection on the header information.
Finally, the No Retransmission (NRT) flag indicates that the recipient
of a message should not ask for retransmission if part of the message is
missing but rather either use what was received or discard it.

None of these facilities introduce new protocol states.  In fact, the
total processing overhead in the normal case is a bit flag test for CMD,
HCO or NRT plus assignment of priority on packet transmission and
reception.  (In fact, CMD and NRT are not tested in the normal case.)
The additional code complexity is minimal.  We feel that the overhead
for providing these real-time facilities is minimal and that these
facilities are both important and adequate for a wide class of real-time
applications.

Several of the normal facilities of VMTP appear useful for real-time
applications.  First, multicast is useful for distributed, replicated
(fault-tolerant) real-time applications, allowing efficient state query
and update for (for example) sensors and control state.  Second, the DGM
or idempotent flag for Responses has some real-time benefits, namely:  a
Request is redone to get the latest values when the Response is lost,
rather than just returning the old values.  The desirability of this
behavior is illustrated by considering a request for the current time of
day.  An idempotent handling of this request gives better accuracy in
returning the current time in the case that a retransmission is
necessary.  Finally, the request-response semantics (in the absence of
streaming) of each new Request from a Client terminating the previous
message transactions from that Client, if any, provides the "most recent
is most important" handling of processing that most real-time
applications require.

In general, a key design goal of VMTP was provide an efficient
general-purpose transport protocol with the features required for
real-time communication.  Further experience is required to determine
whether this goal has been achieved.


(next page on part 2)

Next Section